Even as news of a potential scam aimed at Red Hat Linux users made headlines Monday, consultants and users of Linux and open source were debunking the e-mail that was sent to accounts as an obvious "un-Red Hat" phishing attempt.
The e-mail notified users of a vulnerability in several versions of the Red Hat Linux operating system, and asked them to immediately download a patch from a Fedora mirror site.
David Niemi, a consultant and Linux user based in Reston, Va., said his first impression of the e-mail was that it did not look like authentic Red Hat correspondence.
"This is not how Red Hat would normally [correspond]," Niemi said. "This is fishy to begin with; the HTML format is unusual as Red Hat typically sends unformatted messages."
Niemi said the e-mail was a "highly formatted message" that had been created with some sort of Microsoft Word tool.
"A Windows box created this -- Linux people would see that and get very suspicious because there is a very un-Red Hat look to it," he said.
Niemi said the download instructions for the patch were "very uncharacteristic" of Red Hat, and would have been a red flag for Linux users. Terms like "untar" that were used in bulleted download instructions in the e-mail are not what Red Hat typically uses in its e-mails.
"Red Hat is always in RPM format -- and they don't do patches -- they do updates," Niemi explained.
Niemi said Red Hat uses updates as opposed to patches because they are a much cleaner fix. Patches invalidate a faulty part of an application while the update approach is a complete reissue of an application.
One point Niemi made about the e-mail was that the creator was clever in his use of an accurately named Web site. The scam works better when a credible-sounding domain name -- in this case www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz -- is used instead of an IP address. When Niemi investigated the domain name Monday afternoon, it had been taken down.
The security threat to those using Red Hat Linux was relatively low, Niemi said; he estimated the "threat level" of this attack at three out of 10.
Joe Sechman, a Unix/Linux system administrator based in Georgia, said he had not heard from one person who may have received the fake e-mail.
Sechman said he did not believe this was a case of an attack aimed specifically at Red Hat because it was open source, but rather that it was a reflection of the rise in adware, spyware and phishing attacks in the technology field in general.
"It was only a matter of time," he said.
Diana McKenna, a Unix systems administrator based in Massachusetts, agreed with Sechman's assessment.
"What this would tell me [is that] there is more of a need to educate [the] general public on where to go to verify the information," she said.
According to the Red Hat Web site, its official security messages are never unsolicited, are only sent from firstname.lastname@example.org and are digitally signed using GNU Privacy Guard keys.
Let us know what you think about the story; e-mail: Jack Loftus, News Writer